From: Paolo Bonzini
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org
Subject: [PULL 10/12] lsi53c895a: keep lsi_request alive as long as the SCSIRequest
Date: Mon, 30 Mar 2026 13:50:14 +0200
Message-ID: <20260330115017.256211-11-pbonzini@redhat.com>
In-Reply-To: <20260330115017.256211-1-pbonzini@redhat.com>
References: <20260330115017.256211-1-pbonzini@redhat.com>

To protect against using the lsi_request after SCSIRequest has been freed, keep the HBA-private data alive until the last reference to the SCSIRequest is gone.

Because req->hba_private was used (even if just for an assertion) to check that the request was still either current or queued, add a boolean field that is set when the SCSIRequest is cancelled or completed, which is when the lsi_request would have been unqueued. Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini --- hw/scsi/lsi53c895a.c | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c index 1180e601811..b882fc02276 100644 --- a/hw/scsi/lsi53c895a.c +++ b/hw/scsi/lsi53c895a.c @@ -197,6 +197,7 @@ typedef struct lsi_request { uint8_t *dma_buf; uint32_t pending; int out; + bool orphan; QTAILQ_ENTRY(lsi_request) next; } lsi_request; =20 @@ -748,14 +749,20 @@ static lsi_request *lsi_find_by_tag(LSIState *s, uint= 32_t tag) return NULL; } =20 -static void lsi_request_free(LSIState *s, lsi_request *p) +static void lsi_request_orphan(LSIState *s, lsi_request *p) { + p->orphan =3D true; if (p =3D=3D s->current) { s->current =3D NULL; } else { QTAILQ_REMOVE(&s->queue, p, next); } - g_free(p); + scsi_req_unref(p->req); +} + +static void lsi_free_request(SCSIBus *bus, void *priv) +{ + g_free(priv); } =20 static void lsi_request_cancelled(SCSIRequest *req) @@ -763,9 +770,7 @@ static void lsi_request_cancelled(SCSIRequest *req) LSIState *s =3D LSI53C895A(req->bus->qbus.parent); lsi_request *p =3D req->hba_private; =20 - req->hba_private =3D NULL; - lsi_request_free(s, p); - scsi_req_unref(req); + lsi_request_orphan(s, p); } =20 /* Record that data is available for a queued command. Returns zero if @@ -817,9 +822,7 @@ static void lsi_command_complete(SCSIRequest *req, size= _t resid) } =20 if (req->hba_private =3D=3D s->current) { - req->hba_private =3D NULL; - lsi_request_free(s, s->current); - scsi_req_unref(req); + lsi_request_orphan(s, s->current); } if (!stop) { lsi_resume_script(s); 
@@ -830,10 +833,11 @@ static void lsi_command_complete(SCSIRequest *req, si= ze_t resid) static void lsi_transfer_data(SCSIRequest *req, uint32_t len) { LSIState *s =3D LSI53C895A(req->bus->qbus.parent); + lsi_request *p =3D req->hba_private; int out; =20 - assert(req->hba_private); - if (s->waiting =3D=3D LSI_WAIT_RESELECT || req->hba_private !=3D s->cu= rrent || + assert(!p->orphan); + if (s->waiting =3D=3D LSI_WAIT_RESELECT || p !=3D s->current || (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON))) { if (lsi_queue_req(s, req, len)) { return; @@ -2325,7 +2329,8 @@ static const struct SCSIBusInfo lsi_scsi_info =3D { =20 .transfer_data =3D lsi_transfer_data, .complete =3D lsi_command_complete, - .cancel =3D lsi_request_cancelled + .cancel =3D lsi_request_cancelled, + .free_request =3D lsi_free_request, }; =20 static void scripts_timer_cb(void *opaque) --=20 2.53.0
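
Review bot: The new `bool orphan;` member in the `typedef struct lsi_request` hunk is undocumented, and its meaning is only recoverable from the commit message. A one-line comment on the field would help, stating that it is set once the SCSIRequest has been cancelled or completed, that the lsi_request is then neither `s->current` nor on `s->queue`, and that the structure stays allocated until the free_request callback runs.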
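
Review bot: lsi_request_orphan() in the `@@ -748,14 +749,20 @@` hunk does not check that `p` is not already an orphan before it unlinks and unrefs. The removed code cleared `req->hba_private` in both callers, so a stale pointer could not come back through the request; now the pointer stays reachable for the lifetime of the SCSIRequest, and a second call would repeat `QTAILQ_REMOVE(&s->queue, p, next)` and `scsi_req_unref(p->req)`. Suggest `assert(!p->orphan);` as the first statement. It would also be worth a comment on the final `scsi_req_unref(p->req)` noting that it may drop the last reference, in which case lsi_free_request() frees `p`, so callers must not touch `p` after lsi_request_orphan() returns.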
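
Review bot: In the lsi_transfer_data() hunk, `assert(!p->orphan)` dereferences `p` without the NULL check that the removed `assert(req->hba_private)` provided. If `req->hba_private` can never be NULL here after this change, a short comment saying so would make the intent clear; otherwise `assert(p && !p->orphan);` keeps the old diagnostic and adds the new one.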